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1, 


1.1 


1.2 


1.3 


1.4 


Introduction 


The ICO introduced the Regulatory Sandbox (‘Sandbox’) service to support organisations who are developing products or 
services that use personal data in innovative and safe ways and where such products or services deliver a potential public 
benefit. 


The ICO initially launched the Sandbox as a beta phase, for an initial group of participant organisations during 2019-2020. 
In August 2020, the ICO re-opened the Sandbox with a focus on projects involving one of two themes, children’s privacy or 
data sharing. The ICO stated that projects submitted should be at the cutting edge of innovation and may be operating in 
particularly challenging areas of data protection, where there is genuine uncertainty about what compliance looks like. 


Organisations who were selected for participation in the Sandbox following its reopening have had the opportunity to engage 
with us; draw upon our expertise and receive our advice on mitigating risks and implementing ‘data protection by design’ 
into their product or service, whilst ensuring that appropriate protections and safeguards are in place. The Gambling 
Commission was one of the candidates selected for participation in the Sandbox after it re-opened. 


The Gambling Commission (‘the Commission’) is an executive non-departmental public body, sponsored by the Department 
for Digital, Culture, Media & Sport, who license and regulate the people and businesses that provide gambling in Great 
Britain!. It was set up under the Gambling Act 2005 to regulate commercial gambling in Great Britain in partnership with 
licensing authorities?. 


! https://www.gamblingcommission.gov.uk/home.aspx 
? https://www.gamblingcommission.gov.uk/about/About-us.aspx 


Page 3 of 29 


ico. 


Information Commissioner's Office 


1.5 The Commission entered the Sandbox to explore the concept of Single Customer View (‘SCV’). SCV will allow data, which 
already exists around individual player behaviours to be aggregated to drive better decision making, actions and evaluation 
to reduce gambling related harms? across all online gambling operators. 


1.6 The Commission was accepted into the Sandbox on 23 November 2020. On 1 December 2020, the ICO and the Commission 
engaged in a virtual scoping meeting to support the creation of the objectives and tasks of the Commission’s bespoke 
Sandbox plan. The content of the Commission’s Sandbox plan was agreed to by the Commission on 21 December 2020 and 
Phase 1/Objective 1 of the Sandbox plan was subsequently approved by the ICO on 16 January 2021, which would be the 
focus of initial work in the Sandbox. 


1.7 In Phase 1/Objective 1 of the Sandbox plan, the Commission received informal steers (‘steers’) from the ICO in respect of 
lawful basis and special category data processing and its associated conditions in relation to the sharing of data between 
online gambling operators via SCV. These steers were provided to the Commission in a virtual workshop on 11 May 2021 
and confirmed in writing on 17 May 2021. Following this, a further legal review of the steers was undertaken by the ICO, 
and the steers have been updated. This report summarises the work the Commission and ICO have undertaken as part of 
Phase 1/Objective 1 of the Sandbox plan and provides details of the updated steers. 


1.8 It is important to note that for the purpose of the Sandbox, a conceptual model for SCV was considered. Therefore, the 
steers provided by the ICO, and contents of this report could be subject to change due to factors including the specific 
technical specification, architecture, or construction of the SCV solution developed by industry or if any additional factual 
information is provided to the ICO about the processing activity. 


3 The ICO understands gambling related harms are the ‘adverse impacts from gambling on the health and wellbeing of individuals, families, 
communities and society’. These can include, but are not limited to, financial impacts, loss of employment, debt, crime, breakdown of 
relationships and deterioration of physical and mental health. At worst, gambling can contribute to loss of life through suicide - 
https://assets.ctfassets.net/jl6ev64qyf6l/5tpgsNwwUmqWzDEmvd2jxG/666e97cbb55a13b47c17854c2426d7af/Measuring-gambling-related- 
harms-framework.pdf 
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1.9 


The publication of this report is the final task in Phase 1/Objective 1. A review of progress will be carried out for the 
Commission and ICO to make a joint decision as to whether the Commission continues into Phase 2 of its Sandbox 
participation. Phase 2 is likely to focus on exploring potential data sharing solutions and considering wider compliance with 
the data protection legislation. 


Previous ICO engagement on gambling related harms 


1.10 The ICO has been in discussions with the Commission since 2019 regarding the sharing of personal data to prevent harm 


from gambling. In February 2020, the ICO gave a workshop at the Commission’s event which looked at the data protection 
considerations specific to the proposed SCV. Gambling operators, technology companies and the Betting and Gaming Council 
(‘BGC’) attended this event. 


In 2019, the House of Lords Gambling Industry Select Committee (‘the Committee’) was appointed to consider the social 
and economic impact of the gambling industry; with the Committee subsequently opening an inquiry. Several issues were 
raised during the evidence sessions for this inquiry, with the data protection legislation being one. Gambling operators had 
said that they held a significant amount of data concerning their online customers and a large amount of information on 
play, but they were not able to share this data with other operators because the General Data Protection Regulation 

( GDPR/) prevents this. In March 2020, the ICO provided evidence* to the Committee which, in summary, advised that data 
protection law should not be considered a barrier to sharing personal data. 


In July 2020, the Committee published a report titled ‘Gambling Harm - Time for Action”, in which they made several 
recommendations, some of which were directed at the ICO. The Committee recommended that the ICO work with the 
Commission, the BGC and UK Finance, to resolve perceived data protection barriers to sharing personal data in order to 
protect customers from harm related to gambling (see recommendations 30 and 33 of the Committee’s report) and 


^ https://committees. parliament.uk/writtenevidence/739/html/ 
? https://committees. parliament.uk/publications/1700/documents/16622/default/ 
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recommended an approach based on affordability - ie can the customer afford the amount of money they are spending 
when they gamble. In January 2021, following the Commission’s entry into the Sandbox, the ICO issued a formal response® 
to the recommendations in the Committee’s report. In summary, the ICO’s response explained the ICO’s current work in this 
area and confirmed the ICO was working with the Commission and other appropriate bodies to address perceived barriers to 
sharing personal data in order to protect customers from harm related to gambling. 


1.13 The Commission requires individual gambling operators to identify customers at risk of harm and take action for those 
customers. In November 2020, the Commission launched a public consultation and call for evidence in respect of 
strengthening the requirements for customer interaction by remote operators^?, which closed in February 2021. This 
consultation proposed that gambling operators would be required to implement identification of customers at risk of harm 
through a set of core indicators, as follows: 


e consumer spend; 

e patterns of spend; 

e time spent gambling; 

e gambling behaviour indicators; 

e customer-led contact; 

e use of gambling management tools; and 
e account indicators. 


1.14 The Commission has since published an update on their consultation and call for evidence, including their planned next 
steps’. The ICO understands that the Commission will publish the requirements, including those relating to identification of 
customers at risk, through a core set of indicators of harm later in 2021. An aim of this consultation is that operators 





6 https://ico.org.uk/media/about-the-ico/consultations/2619137/ico-response-to-hols-gambling-industry-sc-report-on-gambling-harms.pdf 
7 https://www.gamblingcommission.gov.uk/news/article/update-on-remote-customer-interaction-consultation 
8 https://consult.gamblingcommission.gov.uk/author/remote-customer-interaction-consultation-and-call/ 
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identify customers at risk through consistent application of the core indicators above. Subject to the finalisation of the 
consultation process, it is understood that SCV could take advantage of this consistent application in the sharing of data 
across operators. 


2. Executive summary 


2.1 As part of Phase 1/Objective 1 of the Commission's Sandbox plan, the Commission and the ICO agreed to work together to: 


e Establish whether there is an appropriate lawful basis under Article 6 of the UK General Data Protection Regulation 
(‘UK GDPR’) that allows for the sharing of behavioural? or affordability data between online gambling operators via 
SCV, including the examination of existing legal gateways; and 


e Consider the processing of special category personal data and the appropriateness of Article 9 conditions for 
processing under the UK GDPR. 


2.2 In order to achieve Phase 1/Objective 1, the ICO and the Commission agreed to complete some specific tasks and actions, 
which are summarised as follows: 


e An external meeting would be held with the Commission to understand what data is likely to be shared and what the 
SCV solution may consist of conceptually. This would include a discussion of any existing legal advice previously 
provided to the Commission. 


e An internal workshop would be held within the ICO to explore possible lawful bases and special category data 
conditions, with relevant ICO colleagues involved in subsequent discussions as appropriate. 





? Please refer to Paragraph 2.3 for more detail of what behavioural data comprises. 
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e An external workshop would be held with the Commission to explore the outcomes from the above tasks and to 
discuss next steps. 


e An interim report would be developed with the Commission’s input to communicate the outcomes of Phase 
1/Objective 1 to the public, which would be published on the ICO’s website. 


2.3 Through the completion of the above tasks via meetings, workshops and email correspondence and based on the 
information provided by the Commission, the ICO provided steers regarding the topics outlined in Phase 1/Objective 1 of the 
Commission's Sandbox plan. These steers were based on the sharing of behavioural data only (but not affordability data), 
which to clarify, in addition to behavioural, comprises financial and play style data related to the customer, a full list of 
which can be found in appendix 1. The reasons for this are discussed in the main body of this report. 


2.4 Upon the provision of the ICO's steers, the Commission were made aware that they were based on the ICO's understanding 
of the SCV as of 17 May 2021??. In summary, in respect of the proposed collection and processing of behavioural data via 
the SCV, the ICO is of the view that: 


e The sharing of behavioural data between gambling operators in order to identify individuals who may be ‘at-risk’ of 
gambling related harms via the SCV may be lawful under Article 6 (1)(e) ‘Public Task’ or Article 6 (1)(f) ‘Legitimate 
Interests’ of the UK GDPR: 


o ‘Public task’ requires there to be a basis in law, for the gambling operators to share the data for the SCV, and 
for that sharing to be carried out in the public interest. This does not require there to be a legal obligation, but 
there must be a domestic law from which this processing originates. While we are satisfied that this condition 





10 Please note, as explained earlier in this report, the steers provided by the ICO have been updated following a further legal review and could be 
subject to further change due to factors including the specific technical specification, architecture, or construction of the SCV solution developed 
by industry or if any additional factual information is provided to the ICO about the processing activity. 
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may apply, a further analysis of the specific circumstances will be needed (once the SCV has been further 
developed) to ensure the sharing is necessary and proportionate to meet those aims. 


o ‘Legitimate Interests’ encompasses the interests of a number of parties including those individuals at risk of 
problem gambling, the interests of gambling operators in meeting their legal requirements and those of society 
at large. These must be balanced against the interests and fundamental rights and freedoms of all the data 
subjects whose data may be shared. Again, we are satisfied that this condition may apply, but as the SCV is 
developed, a further analysis will be needed to consider how this condition applies in the specific circumstances. 


e Both lawful bases outlined above would provide a discretionary gateway to the processing. Both require an 
assessment of the proportionality of the processing when the benefits to those individuals who are at risk, are 
balanced against the potential detriment to all the data subjects whose data will be shared in connection with the SCV 
and both allow for data subjects to object. 


e Should changes be made to the gambling legislation or if the Commission inserted a new requirement into the Licence 
Conditions and Codes of Practice ('LCCP^)!! about implementing the SCV, gambling operators may rely on Article 6 
(1)(c) ‘Legal Obligation’ of the UK GDPR as the lawful basis for processing. Following the provision of this view, the 
Commission has indicated that it may be prepared to consult on introducing such a requirement into the LCCP, setting 





11 https://www.gamblingcommission.gov.uk/licensees-and-businesses/Iccp/online 
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out an absolute requirement to share data via the SCV??, however a change in legislation would likely take a 
substantial amount of time. 


e We will need to consider which parties are acting as controllers and processors in more detail if progressing to Phase 
2 of the Sandbox plan. 


e The ICO is of the view that it is likely that some elements of the data proposed to be processed via the SCV may 
qualify as special category data. As processing special category data requires an Article 9 condition in the UK GDPR, it 
is good practice to identify this potential condition as early as possible, because the UK GDPR prohibits the processing 
of special category data without an Article 9 processing condition. The ICO considers Article 9 (2)(g) 'processing is 
necessary for reasons of substantial public interest' may be appropriate. 


e In addition to the above, the ICO considers that Schedule 1, Part 2, Paragraphs 18 ‘Safeguarding of children and 
individuals at risk' or 19 'Safeguarding of economic well-being of certain individuals' of the Data Protection Act 2018 
(‘DPA 2018’) may be appropriate substantial public interest conditions to enable reliance on Article 9 (2)(g). 


2.5 Additionally, the ICO explained that for any processing to be lawful, all data protection principles outlined in Article 5 of the 
UK GDPR need to be complied with alongside other aspects of the UK GDPR, such as Article 25 data protection by design 
and by default. As explained in ICO guidance,?? lawfulness also means that you don’t do anything unlawful in a more general 


1? The ICO also considered whether amending the formal guidance on customer interaction (formal guidance under Social Responsibility Code 
3.4.1: Customer interaction: formal guidance for remote gambling operators - Gambling Commission) to require the sharing of data via the SCV 
could be enough to demonstrate a legal obligation within the meaning of Article 6 of the UK GDPR. While this is arguable, on balance we 
consider that this would not be sufficient, as the Commission indicated that the remote customer interaction guidance does not form an absolute 
requirement; rather it presents additional information about how operators should implement the requirements, and which operators are 
required to take into account. 

13 https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/principles/lawfulness- 
fairness-and-transparency/#lawfulness 
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3.2 


sense, which includes non-compliance with statute and common law obligations whether criminal or civil!^. As outlined 
earlier in this report, if the Commission continues into Phase 2 of its Sandbox participation, the focus will likely be on 
exploring potential data sharing solutions and considering wider compliance with the data protection legislation. 


Product description 


SCV aims to identify ‘at-risk’ individuals, who engage in gambling across several online operators via multiple accounts, 
through the sharing of data between online gambling operators, via SCV, to create a more holistic view of an individual's 
spending and gambling activity. By identifying 'at-risk' individuals effectively, the objective of SCV is to ensure more 
appropriate and consistent intervention at a customer service level by individual operators to support individuals and reduce 
gambling related harms. 


The ambition for SCV is to reduce gambling related harms and we understand that industry have presented several options 
of how to achieve these aims to the Commission. We have considered what the Commission deemed as the most 
comprehensive model for SCV presented to them by industry in order to fully understand potential risks around SCV. As 
such the conceptual model operates as follows: as an individual hits different trigger points, each individual online gambling 
operator will share the data with the SCV solution where in turn it will be subject to an algorithm that produces a ‘risk score’ 





1^ ICO guidance states processing may also be unlawful if it results in a breach of industry -specific legislation or regulations, a breach of the 
Human Rights Act 1998, alongside others - https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection- 
regulation-gdpr/principles/lawfulness-fairness-and-transparency/#lawfulness 
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3.3 


3.4 


or ‘banding’ for an individual. The ‘risk score’ or ‘banding’ will be shared with other online gambling operators and 
interventions are expected to be made based on an individual's level of risk!^. 


The ICO understands that the exact data set and what datapoints online gambling operators will be expected to provide and 
in what form is still to be confirmed and this conceptual understanding of the SCV could change depending on the SCV 
solution developed by industry'®. Depending on the solution applied for SCV, it could also offer a solution for customer-led 
gambling management tools to be applied across multiple operators. Again, as outlined earlier, the steers and conclusions in 
this report could be subject to change depending on the specific technical specification, architecture or construction of the 
SCV solution developed by industry. 


In addition to behavioural data, the ICO understands that the Commission is considering the extent to which more detailed 
"Know Your Customer' data could be incorporated into the SCV and potentially explored within the Sandbox (eg customer 
provided or credit reference data on consumer income, financial vulnerability or likelihood that the gambling is 
unaffordable). We note that this is different from financial or transactional data (eg how much money an individual spends in 
a session). Through engaging with the Commission during Phase 1/Objective 1 of their Sandbox participation, the ICO 
understands that affordability checks are currently completed differently by each gambling operator and this will be 
considered further depending on the SCV solution. Due to this, the ICO has not considered the incorporation of affordability 
data into the SCV at this time and the ICO's steers delivered to the Commission (and updated in this report) apply only to 
behavioural data. If the Commission decide to proceed to Phase 2, the incorporation of affordability data into the SCV may 
be explored in more detail. 


15 Paragraph 1.13 of this report provides further details of the set of core indicators proposed by the Commission in their public consultation in 
respect of strengthening the requirements for customer interaction by remote gambling operators in which operators would be required to 
implement to identify customers at risk of harm. Paragraph 1.14 provides more information on when the Commission is likely to publish the 
requirements. 

16 The ICO is aware that any proposed SCV solution must be readily usable by larger and smaller operators alike. 
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4. 


4.1 


4.2 


4.3 


Key data protection considerations 


As outlined above, due to the uncertainties regarding the proposed use of affordability data in the SCV, the steers provided 
by the ICO to the Commission apply only to behavioural data in the SCV. 


The Commission has been advised that the data protection implications of any wider data sets intended to be used or shared 
in the SCV, such as affordability data, should be considered separately, based on their own merits and the factual situation. 
Therefore, when intending to incorporate affordability data into the SCV solution, the data protection risks will need to be 
considered separately, to ensure the use of this data is compatible with the purpose for processing, an appropriate lawful 
basis has been identified, alongside other data protection considerations. 


Below is a Summary of the ICO’s understanding of the key facts as of 17 May 2021, when the ICO’s steers were provided to 
the Commission in writing, and the considerations made regarding the topics outlined in Phase 1/Objective 1 of the 
Commission’s Sandbox plan. 


Gambling legislation and guidance 


4.4 


The ICO understands that gambling operators are required to comply with the conditions of their operating licences, issued 
under the Gambling Act 2005. Section 11” of the Gambling Act 2005 sets out three licensing objectives which underpin the 
licensing regime, one of which is "(c) protecting children and other vulnerable persons from being harmed or exploited by 
gambling". 





17 https://www.legislation.gov.uk/ukpga/2005/19/section/1 
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4.5 


4.6 


Section 241? of the Gambling Act 2005 provides that the Commission can issue codes of practice about the manner in which 
facilities for gambling are provided. It adds a code shall describe arrangements that should be made by a person providing 
facilities for gambling for the purposes of “(a) ensuring that gambling is conducted in a fair and open way, (b) protecting 
children and other vulnerable persons from being harmed or exploited by gambling, and (c) making assistance available to 
persons who are or may be affected by problems related to gambling." Section 821° of the Gambling Act 2005 states that 
any operating licence is subject to the condition that gambling operators comply with any social responsibility provision of a 
code of practice issued under Section 24. 


The LCCP?° sets out social responsibility code provisions, compliance with which is a condition of operating licences. 
Paragraph 3.4.1 of the LCCP, which forms part of the social responsibility provisions, states “(1) Licensees must interact 
with customers in a way which minimises the risk of customers experiencing harms associated with gambling. This must 
include: (a) identifying customers who may be at risk of or experiencing harms associated with gambling, (b) interacting 
with customers who may be at risk of or experiencing harms associated with gambling, (c) understanding the impact of the 
interaction on the customer, and the effectiveness of the Licensee’s actions and approach” and (2) that “licensees must take 
into account the Commission’s guidance on customer interaction”. In respect of this, the Commission has issued formal 
guidance for remote gambling operators on customer interaction under the social responsibility code 3.4.1?!. 


Current processing conducted by online gambling operators 


4.7 


Through our engagement with the Commission, the ICO understands that online gambling operators currently process 
behavioural data to identify and guide interactions with individuals who may be at risk of or experiencing gambling related 


18 https://www.legislation.gov.uk/ukpga/2005/19/section/24 

19 https://www.legislation.gov.uk/ukpga/2005/19/section/82 

20 https://www.gamblingcommission.gov.uk/licensees-and-businesses/Iccp/online 

21 Formal guidance under Social Responsibility Code 3.4.1: Customer interaction: formal guidance for remote gambling operators - Gambling 
Commission 
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4.8 


4.9 


harms, in accordance with their obligations under paragraph 3.4.1 of the LCCP. Examples of such behavioural data include 
time and money spent gambling, refund requests, use of multiple payment methods, bonus or offer requests, adverse 
information supplied (via customer service eg declaration of a gambling problem or change in circumstances), behavioural 
indicators such as payday spending, alongside others. A list of the data can be found in appendix 1. 


The ICO understands that the data collected varies from one online gambling operator to another and online gambling 
operators have a certain amount of discretion in how they identify customers who may be at risk, how interventions are 
made etc?*. There is currently no sharing of data relating to individuals identified as ‘at-risk’ between online gambling 
operators. The ICO understands that gambling operators are controllers in relation to any personal data currently processed 
to identify and interact with individuals who may be at risk of or experiencing gambling related harms and that the majority 
of the gambling operators use Article 6 (1)(c) ‘Legal obligation’ as their lawful basis for processing this data under the UK 
GDPR. 


In addition, the ICO also understands from engaging with the Commission that there is a multi-operator self-exclusion 
scheme, GAMSTOP, which allows individuals to self-exclude from all online gambling operators with one request, rather than 
needing to make a separate request with each operator individually. GAMSTOP is a service that users have to opt in to. The 
Commission has advised there will always be those experiencing gambling related harm that do not take up gambling 
management tools, including GAMSTOP, which is why it is important that operators are required to identify harm and act to 
reduce harm. 


Based on the information known as of 17 May 2021, the ICO provided steers to the Commission regarding the topics 
outlined in Phase 1/Objective 1 of the Commission’s Sandbox plan. These steers were given without prejudice to any future 


22 As outlined in paragraph 1.14 of this report, an aim of the Commission's public consultation in respect of strengthening the requirements for 
customer interaction by remote gambling operators is that SCV will allow consistent approach to identifying customers at risk. 
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intervention by the Information Commissioner in accordance with her tasks and powers, in line with the ICO’s Regulatory 
Action Policy??. 


Lawful basis 


4.11 The ICO advised the Commission that it is of the view that if the Commission is satisfied that the proposed collection and 
processing of the personal data via the SCV is necessary to identify individuals who may be at risk of gambling related 
harms, the processing may be lawful under Article 6 (1)(f) ‘Legitimate Interests’ or under Article 6 (1)(e) ‘Public Task’ of the 
UK GDPR. 


4.12 Both lawful bases outlined above would provide a discretionary gateway to the processing, both depend on the solution 
developed by industry for the SCV being a proportionate solution, considering the risks and benefits of sharing the data in 
this way, and both allow data subjects to object. In particular: 


e ‘Public task’ requires there to be a basis in law, for the gambling operators to share the data for the SCV, and for that 
to be carried out in the public interest. This does not require there to be a legal obligation, but there must be a 
domestic law from which this processing originates. While we are satisfied that this condition may apply, a further 
analysis of the specific circumstances will be needed (once the SCV has been further developed) to ensure the sharing 
is necessary and proportionate to meet those aims. 


e ‘Legitimate Interests’ encompasses the interests of a number of parties including those individuals at risk of problem 
gambling, the interests of gambling operators in meeting their legal requirements and those of society at large. These 
must be balanced against the interests and fundamental rights and freedoms of all the data subjects whose data may 





23 https://ico.org.uk/media/about-the-ico/documents/2259467/regulatory-action-policy.pdf 
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be shared. Again, we are satisfied that this condition may apply, but as the SCV is developed, a further analysis will 
be needed to consider how this condition applies in the specific circumstances. 


In addition to this, should changes be made to the gambling legislation or LCCP, the ICO is of the view that Article 6 (1)(c) 
‘Legal Obligation’ could be a possible lawful basis, which would obviously then make such sharing a legal requirement. We 
also considered (and dismissed) whether changing the guidance would constitute a legal obligation which is discussed 
further below. 


Article 6 (1)(e) ‘Public Task’ of the UK GDPR 


Article 6 (1)(e) 'Public Task' of the UK GDPR can be relied upon to perform a specific task that is considered to be in the 
public interest, as set out in law. The ICO is of the view that this requirement may be met in the context of the SCV, by 
virtue of the fact that first, the reason for the gambling operators to share data for the SCV (the task in question) originates 
in the above-mentioned provisions of the Gambling Act 2005 and LCCP. Second, the gambling operators would be sharing 
the data (carrying out that task) in the public interest. In line with the ICO's guidance?^, gambling operators could point to 
the LCCP and accompanying guidance from the Commission to demonstrate the necessary basis in law. Gambling operators 
could also point to any specific guidance issued by the Commission on sharing data for this purpose in order to demonstrate 
that such sharing is considered to be in the public interest. Sharing the data must be a necessary and proportionate way for 
the gambling operators to perform that task, and this requirement will be reviewed as the SCV develops. 


If gambling operators rely on public task as the lawful basis for processing, individuals do not have the right to erasure or 
data portability. However, individuals do have a right to object. Although the right to object is not an absolute right, as 
processing can continue if there is a compelling justification for the processing which overrides the individual's interests, any 
objection received needs to be considered on a case-by-case basis by the operator(s). Therefore, gambling operators would 


24 https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for- 
processing/public-task/ 
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need to consider how best to explain this in their privacy information and ensure there is a mechanism in place for 
objections to be made and considered. This process could be part of a helpful dialogue between gambling operators and 
their customers. A Code of Conduct for SCV could be considered, which would be helpful in setting industry-agreed 
standards for responding to objections. Gambling operators’ privacy information should also include information about their 
purposes and lawful basis. 


Article 6 (1)(f) ‘Legitimate Interests’ of the UK GDPR 


Article 6 (1)(f) ‘Legitimate Interests’ of the UK GDPR provides a lawful basis for processing where processing is necessary 
for the purposes of the legitimate interests pursued by the controller or by a third party, except for when such interests are 
overridden by the interests or fundamental rights and freedoms of the data subject. 


The ICO understands that gambling operators may feel the processing is not for their direct benefit, therefore they do not 
have a legitimate interest. However, the gambling operators do have a legitimate interest in meeting their legal 
requirements and following guidance given by the Commission. In addition, as is made clear in ICO guidance?, legitimate 
interests are not limited to the gambling operators’ own interests, as legitimate interests can be interests of third parties 
such as those individuals with gambling problems, commercial interests as well as wider societal benefits. These interests 
must be balanced against the interests, rights or freedoms of all the data subjects whose data is shared. While this will 
depend on the specific circumstances of the SCV, based on its current understanding of the SCV, the ICO is satisfied that 
prima facie this requirement would be satisfied. Additionally, sharing the personal data must be a necessary and 
proportionate way to meet those legitimate interests, and this requirement will be reviewed as the SCV develops. 


Reliance on Article 6 (1)(f) requires the completion of a legitimate interest assessment (‘LIA’), and a data protection impact 
assessment (‘DPIA’) if the LIA identifies any high risks. 


25 https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for- 
processing/legitimate-interests/ 
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4.19 


4.20 


4.21 


If gambling operators choose to rely on legitimate interests as the lawful basis for processing, individuals do not have the 
right to portability. However, individuals do have the right to object. As explained, for reliance on the public task lawful 
basis, gambling operators would need to consider how best to explain this in their privacy information and ensure there is a 
mechanism in place to make and consider objections. In the case of legitimate interests, gambling operators’ privacy 
information must also explain what the legitimate interests are. 


Article 6 (1)(c) ‘Legal Obligation’ of the UK GDPR 


The ICO is of the view that if the LCCP were amended to insert a specific licence condition requiring operators to implement 
the SCV, it is likely that the ICO would accept that the LCCP imposes a legal obligation on the gambling operators, such that 
the operators could rely on Article 6 (1)(c) of the UK GDPR. The ability to rely on Article 6 (1)(c) will obviously depend on 
how any new obligation in the LCCP is expressed. 


In respect of the above, and as explained earlier in this report, the Commission has indicated that it may be prepared to 
consult on introducing such a requirement into the LCCP if that is necessary. This is considered the more appropriate vehicle 
for imposing a legal obligation on operators to share personal data via the SCV, as the remote customer interaction 
guidance does not form an absolute requirement; rather it presents additional information about how operators should 
implement the requirements and which operators are required to take into account. 


Special category data 


4.22 


As explained in the ICO’s guidance?$, the UK GDPR outlines some types of personal data that are considered to be more 
sensitive, referred to as 'special category data', which, relevant to the Commission's Sandbox participation, includes data 
concerning health. Special category data also includes personal data revealing or concerning these details. It may be 


?6 https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/special-category- 
data/what-is-special-category-data/#scd1i 
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4.23 


4.24 


possible to infer or guess details about someone which fall within special categories of data, and whether this counts as 
special category data and triggers Article 9 of the UK GDPR depends on the certainty of the inference and whether the 
inference is being deliberately drawn. If you can infer relevant information with a reasonable degree of certainty, then it is 
likely to be special category data even if it is not a cast-iron certainty?’. 


Please note, the ICO has not considered at what point a combination of datapoints may indicate a gambling addiction or 
whether gambling addiction is in and of itself a mental health condition. However, it notes that gambling addiction has been 
described as a mental health condition in a number of contexts. For instance, the House of Lords Gambling Industry Select 
Committee report on Gambling Harms?’, quoted the then Secretary of State for Health and Social Care, as stating “gambling 
addiction is a mental health issue... We [the Government] are reviewing the Gambling Act because no one had smartphones 
in 2005 and we're putting mental health at the heart of that review". The ICO also notes that the NHS website for England? 
states “being a compulsive gambler can harm your health and relationships...”. 


The ICO is of the view that the behavioural datapoints on their own are unlikely to be special category data if simply 
recording session time or stakes. Although, we note that the exact datapoints to be shared with the SCV are still being 
determined and our view on this point may alter as these are refined. However, if the data shared by gambling operators to 
be processed by the SCV is indicative of health issues (such as gambling addiction), those elements of the data may become 
special category data. This depends on how certain the inference is and whether that inference is deliberately drawn and 
influences activities in any way. The ICO explained to the Commission that gambling operators and the SCV system need to 
consider at what point (if at all) the data they are processing indicates health issues with any reasonable degree of 
certainty. 





27 https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/special-category- 
data/what-is-special-category-data/#scd7 

28 https://committees. parliament.uk/publications/1700/documents/16622/default/ 

29 https://www.nhs.uk/live-well/healthy-body/gambling-addiction/ 
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4.25 Specifically, the ICO reached the following conclusions in respect of the proposed processing??: 


It is unlikely (in most cases) that the proposed processing of individual session or financial data sets by the gambling 
operators and then the SCV, is special category data at the initial stage. The processing might identify an individual 
who may be at risk, but it would appear there is no certainty that the data is indicative of health issues and the 
gambling operators are not deliberately drawing any health inferences at this stage. 


Once the SCV has produced a ‘risk score’ or ‘banding’ for an individual deemed ‘at-risk’, whether or not this is special 
category data will depend on how certain the gambling operators are that this is indicative of health issues, for at 
least some of the individuals or whether they are deliberately drawing any inferences (even if there is some 
uncertainty). This will be a matter for the gambling operators to judge based on their understanding of customer 
behaviour. The ‘risk score’ or ‘banding’ is not special category data if it is to be simply indicative of financial 
vulnerability. 


Once the ‘risk score’ or ‘banding’ produced by the SCV is provided to the gambling operators, if gambling operators 
subsequently process personal data to intervene in the case of an individual who they have inferred has a health 
issue, this would be special category data, as they are treating someone differently on the basis of that inference. 


4.26 Considering the above, the ICO is of the view that it is likely that some elements of the data to be processed by the SCV 
may be special category data, if health issues are either being inferred with any degree of certainty or if that inference is 
deliberately drawn and influences activities in any way. As processing special category data requires an Article 9 condition 
under the UK GDPR, it is good practice to identify this potential condition as early as possible, because the UK GDPR 
prohibits the processing of special category data without an Article 9 processing condition. 





30 Please note, these are initial considerations, which as explained earlier could change due to factors including the specific technical 
specification, architecture or construction of the SCV solution developed by industry or if any additional factual information is provided to the ICO 
about the processing activity. 
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4.27 


Due to this, the ICO provided the Commission with ICO guidance?! which provides a checklist of considerations organisations 
should take into account when processing special category data. This includes (among other points) determining the 
necessity of the processing, identifying an Article 6 lawful basis and Article 9 condition for processing, producing an 
Appropriate Policy Document and including specific information about the processing of special category data in privacy 
information. The ICO also advised the Commission that they may wish to edit or produce guidance on the processing of 
special category data. 


Special category data conditions 


4.28 


4.29 


4.30 


Taking the above into consideration, the ICO is of the view that Article 9 (2)(g) ‘processing is necessary for reasons of 
substantial public interest’ of the UK GDPR may be an appropriate condition for processing special category data for the 
SCV, if health issues are either being inferred with any degree of certainty or if that inference is deliberately drawn and 
influences activities in any way. Further consideration of this point will be required once operational details of the SCV are 
established. 


In order to rely on Article 9 (2)(g) as a condition for processing special category data, a substantial public interest condition 
as set out in Schedule 1, Part 2 of the DPA 2018 must be met. These conditions give a legal basis for relying on Article 9 
(2)(g). Therefore, the ICO also considered the appropriateness of relevant substantial public interest conditions for this 
processing and identified two which may be available. 


However, the ICO has advised the Commission that the applicability of these conditions will very much depend on how the 
SCV solution is developed by industry, which personal data is processed and the specific details of the data sharing to be 
engaged in by the gambling operators. 


31 https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for- 
processing/special-category-data/ 
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4.32 


4.33 


4.34 


Schedule 1, Part 2, Paragraph 18 of the DPA 2018 - ‘Safeguarding of children and individuals at risk’ 


The ICO is of the view that this substantial public interest condition may apply to the extent that the data indicates an 
individual with a health issue (if one is being identified or inferred). This does not need to apply to all the data subjects 
whose data is shared. 


In accordance with this condition, gambling operators need to demonstrate “(1)(a) the processing is necessary for the 
purposes of— (i) protecting an individual from neglect or physical, mental or emotional harm, or (ii) protecting the physical, 
mental or emotional well-being of an individual, (b) the individual is - (i) aged under 18, or (ii) aged 18 or over and at risk, 
(c) the processing is carried out without the consent of the data subject for one of the reasons listed in sub-paragraph (2), 
and (d) the processing is necessary for reasons of substantial public interest." 


In these circumstances, the ICO is of the view that the processing may be necessary for one or both purposes in (1)(a), but 
this needs to be articulated with specific reference to individuals' mental or emotional harm or well-being. 


For an individual aged 18 or over to be considered 'at-risk', this condition requires that gambling operators can demonstrate 
that there is reasonable cause to suspect that there will be an individual (or, in fact, individuals) who "(3)(a) has (or have) 
needs for care and support, (b) is (or are) experiencing, or at risk of, neglect or physical, mental or emotional harm, and (c) 
as a result of those needs is (or are) unable to protect himself or herself (or themselves) against the neglect or harm or the 
risk of it." It is the ICO's view that: 


e In respect of 3(a) above, it is reasonable to consider that those with identified or inferred health issues related to 
gambling need care and support. 


e In respect of 3(b) above, it is reasonable to consider that those with identified or inferred health issues related to 
gambling will be experiencing or will be at risk of neglect, or physical, mental or emotional harm. 


e In respect of 3(c) above, it is reasonable to consider that as a result of an individual experiencing or being at risk of 
(a) and (b), in the context of identified or inferred health issues related to gambling, they are either unable to, or are 
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4.35 


4.36 


4.37 


4.38 


at risk of being unable to protect themselves from that neglect or harm set out in (b). In the virtual meeting that took 
place between the Commission and ICO on 11 May 2021, the ICO explained that sub-paragraph 4 also contains a 
provision which states “In sub-paragraph (1)(a), reference to the protection of an individual or of the well-being of an 
individual includes both protection relating to a particular individual and protection relating to a type of individual.” 
This provision therefore enables a controller to rely on the Paragraph 18 condition in relation to processing data of a 
group of individuals, as well as particular individuals, who are at risk. 


Considering the above, the ICO is of the view that this condition may be relied on in the context of data processing in 
connection with the SCV, but the ICO explained to the Commission that the applicability of this condition will ultimately 
depend on the final composition of the SCV and the processing that takes place in connection with it. In particular, analysis 
will need to be carried out to ensure that processing the data in this way is necessary and proportionate, for the purpose of 
safeguarding those individuals at risk. 


In terms of the other elements of this condition, the ICO accepts that obtaining the individual’s consent in all cases is not a 
realistic option in these circumstances and that there is a substantial public interest underlying the processing. Gambling 
operators need to be able to articulate these public interest benefits. 


Schedule 1, Part 2, Paragraph 19 of the DPA 2018 - ‘Safeguarding of economic well-being of certain 
individuals’ 


The ICO is of the view that it is reasonable to consider that this substantial public interest condition may apply where the 
data indicates a health issue related to problem gambling (if one is being identified or inferred), since this would make the 
individual less able to protect their economic well-being. 


The key consideration will be for the gambling operators to show that sharing data for the SCV is necessary and 
proportionate for the safeguarding of the economic well-being of those individuals with heath issues related to problem 
gambling. This will need to be kept under review as the SCV is developed by industry. 


Page 24 of 29 


ico. 


Information Commissioner's Office 


4.39 


In terms of the other elements of this condition, the ICO accepts that obtaining consent of all data subjects will not be 
realistic and that new Commission guidance taken with the statutory licensing objectives can be used to support operators in 
demonstrating that the processing is necessary for reasons of substantial public interest. 


Additional considerations 


4.40 


4.41 


4.42 


Controllership 


As explained in the ICO's guidance??, controllers are the main decision-makers, they exercise overall control over the 
purposes and means of the processing of personal data and processors handle data on behalf of controllers. The ICO advised 
the Commission that if they are to progress to Phase 2 of the Sandbox plan, it was likely that controllership would need to 
be considered in more detail, taking into account the roles that all organisations involved have in determining the purposes 
and means of the processing and how the SCV solution is run. 


Article 22 of the UK GDPR - Automated decision-making 


Article 22 (1) of the UK GDPR limits the circumstances in which controllers can make solely automated decisions (ie with no 
human involvement in the decision-making process), including those based on profiling, that have a legal or similarly 
significant effect on individuals. A legal effect is something that adversely affects someone's legal rights. Similarly significant 
effects are more difficult to define but would include, for example, automatic refusal of an online credit application. 


This type of decision-making can only be carried out where the decision is necessary for the entry into or performance of a 
contract, authorised by domestic law applicable to the controller, or based on the individual's explicit consent. In addition, if 





32 https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/key- 
definitions/controllers-and-processors/ and https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection- 
regulation-gdpr/controllers-and-processors/what-are-controllers-and-processors/ € 3 
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special category data is processed, organisations can only carry out the processing described in Article 22 (1) with the 
individual’s explicit consent, or where the processing is necessary for reasons of substantial public interest. 


4.43 From the ICO's discussion with the Commission during the virtual meeting on 11 May 2021, it is understood that in the 
conceptual SCV, it is envisaged that an individual will be automatically flagged to an online gambling operator at a certain 
point based on the individual’s behaviour, prompting the gambling operator to consider if they need to intervene. This 
process could also involve automated communications in the form of a pop-up or email being sent to the individual. 
Considering this, the ICO advised the Commission that if they were to progress to Phase 2 of the Sandbox plan, automated 
decision-making may need to be assessed in more detail when deployment of the SCV technology is considered. 


4.44 Further to the above, as part of its consultation on remote customer interaction, the Commission considered the issue of 
whether automated solutions following a trigger constituted a legal effect. The consultation stated that ‘The Commission 
would not consider triggers which lead to a temporary stop in gambling as a decision which produces legal effects, as the 
customer's contractual relationship is not ended and the decision can be addressed through further discussion between the 
operator and the customer.' As a result, the Commission currently considers that automated solutions could be included in 
the SCV solution and will continue to discuss this issue with the ICO ahead of a potential Phase 2 of the Sandbox. 


Article 21 of the UK GDPR - Right to object 


4.45 Article 21 of the UK GDPR gives individuals the right to object to the processing of their personal data in certain 
circumstances, depending on the purpose and the lawful basis for processing. This right allows individuals to request 
controllers to stop or prevent their data from being processed. As explained earlier in this report, the right to object is not 
an absolute right to prevent processing, as processing can continue if there is a compelling justification which overrides the 
individual's interests. Any objection received by an operator needs to be considered on a case-by-case basis. 


4.46 On 24 May 2021, the ICO provided the Commission with additional advice on the right to object as well as an example of 
how online gambling operators could communicate this right to data subjects. 
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5.1 


5.2 


5:3 


5.4 


Phase 1 completion statement 


As set out in the ICO's response to recommendations by the House of Lords Gambling Industry Select Committee in their 
Report on the Social and Economic Impact of the Gambling Industry??, data protection law should not be considered a 
barrier to sharing personal data. Instead, it should be viewed as a framework of safeguards to ensure fair, lawful, and 
proportionate data sharing. 


Through our engagement and based on the information provided by the Commission, the ICO has identified a number of 

lawful bases and special category data processing conditions under the data protection legislation that may be relied upon 
for the proposed collection and processing of behavioural data via the SCV, provided that the Commission is satisfied it is 
necessary to identify individuals who may be at risk of gambling related harms. 


Through engaging with the ICO's Sandbox service, the Commission has gained an understanding of when personal data 
becomes special category and the resulting implications. It also has a clear view of how the various lawful bases apply to the 
aims of the SCV project and has demonstrated to the ICO some of the clear benefits which could arise from the sharing of 
personal data for the purpose of minimising the risk of harm to gambling customers. 


The Commission has, during its work with us, demonstrated a commitment to ensuring the SCV is delivered in a way, which 
prioritises the interests of the public and players. We understand that as the regulator for commercial gambling in Great 
Britain, their ultimate goal in working with industry to establish SCV is to improve the protection offered to individuals from 
harms they may experience when gambling. 





33 https://ico.org.uk/media/about-the-ico/consultations/2619137/ico-response-to-hols-gambling-industry-sc-report-on-gambling-harms.pdf 
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5.5 If the decision is made to progress to Phase 2 of the Commission's Sandbox plan, the ICO look forward to working with the 
Commission and industry, where applicable, to provide expertise on wider data protection compliance implications of any 
SCV solution. 


Appendices 
Appendix 1 


Data points identified by the Commission as being in use by gambling operators for identifying customers at risk of gambling 
related harms: 


e Forename 

e Surname 

e Address (residential) 
e Address (payment) 

e Date of birth 

e Email address 

e I.P address 

e Device I.D 

e Payment card / wallet 
e Total deposits 

e Total withdrawals 

e Average deposit level 
e Deposit level variance (%) 
e Deposit frequency 

e Withdrawal frequency 
e Loss % 
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e Withdrawal reversals 

e Refund requests 

e Additional payment methods 

e Bonus / offer requests 

e Adverse information supplied 

e Session length 

e Session length change (%) 

e Session frequency 

e Session frequency change (%) 

e Reaction to interaction 

e Behaviour post interaction 

e Loss chasing 

e Average stake 

e Average stake change (%) 

e Intensity of play (spins / bets per session) 
e Product selection (high vs medium risk) 
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